Preserving the Privacy of Genetic Information Ann Cavoukian, Ph.D.Information and Privacy Commissioner Ontario, Canada University of Toronto Biotechnology Law and Policy January 16, 2013
Presentation Outline1. What is Privacy?2. Privacy by Design: The Gold Standard3. What is Genetic Information?4. Issues Relating to the Use of Genetic Information5. Does Genetic Information Require Special Data Protection?6. Issues Relating to Research Biobanks7. Conclusions
Early IPC Papers on Genetics and Privacy• Genetic Engineering: The Ultimate Threat to Privacy, Ann Cavoukian, Ph.D., – International Workshop on Access and Privacy Laws – April 14, 1989;• Confidentiality Issues in Genetics: The Need for Privacy, Ann Cavoukian, Ph.D., – Symposium of the Council of Europe on Biometrics, France – November 30, 1993;• Genetic Privacy: The Right “Not to Know,” Ann Cavoukian, Ph.D., – 10th World Congress on Medical Law, Israel – August 28, 1994; www.ipc.on.ca
“I will focus my comments primarily on the workplaceand the prospect of using genetic screening in workplacehiring practices to detect certain diseases, traits orbehavioral disorders which prospective employees maybring with them to the job. It may be used to detect bothoccupational and non-occupationally-related traits. It isin this area, as well as that of the insurance industry,where I believe the greatest discrimination will arise: thepotential exists for creating a class of people who maybecome unemployable and uninsurable.” — Ann Cavoukian, Ph.D., Confidentiality Issues in Genetics: The Need for Privacy, Symposium of the Council of Europe on Bioethics, France, November 30, 1993 www.ipc.on.ca/english/Resources/Presentations-and-Speeches/Presentations-and-Speeches-Summary/?id=101
What is Privacy?• Informational Privacy: Data Protection • Freedom of choice; control over one’s information; informational self-determination; • Personal control over the collection, use and disclosure of any recorded information about an identifiable individual.
Fair Information Practices: A Brief History• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980;• CSA Model Code for the Protection of Personal Information, 1996;• EU Directive on Data Protection, 1998;• Canada Personal Information Protection and Electronic Documents Act (PIPEDA), 2000;Ontario:• Freedom of Information and Protection of Privacy Act (FIPPA), 1988;• Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), 1991;• Personal Health Information Protection Act (PHIPA), 2004.
How is Genetic Information Protected in Canada?• Canadian Charter of Rights and Freedoms:• Federal, provincial and territorial privacy statutes: - Public sector privacy and access legislation; - Private sector privacy legislation; - Health sector privacy legislation;• Federal, provincial and territorial human rights statutes;• Professional codes, standards of practice and ethical duties of confidentiality of health professions;• Provincial laws governing regulated health professions.
Why We Need Privacy by Design Most privacy breaches remain undetected – as regulators, we only see the tip of the iceberg The majority of privacy breaches remain unchallenged, unregulated ... unknownRegulatory compliance alone, is unsustainable as the sole model for ensuring the future of privacy
Adoption of “Privacy by Design” as an International StandardLandmark Resolution Passed to Preserve the Future of PrivacyBy Anna Ohlden – October 29th 2010 - http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacyJERUSALEM, October 29, 2010 – A landmark Resolution byOntarios Information and Privacy Commissioner, Dr. Ann Cavoukian,was approved by international Data Protection and PrivacyCommissioners in Jerusalem today at their annual conference. Theresolution recognizes Commissioner Cavoukians concept of Privacyby Design - which ensures that privacy is embedded into newtechnologies and business practices, right from the outset - as anessential component of fundamental privacy protection. Full Article: http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
Privacy by Design: The 7 Foundational Principles1. Proactive not Reactive: Preventative, not Remedial;2. Privacy as the Default setting;3. Privacy Embedded into Design;4. Full Functionality: Positive-Sum, not Zero-Sum;5. End-to-End Security: Full Lifecycle Protection;6. Visibility and Transparency: Keep it Open;7. Respect for User Privacy: Keep it User-Centric. www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
Ontario’s Personal Health Information Protection Act (PHIPA)The definition of personal health information includespersonally identifying information about an individualin oral or recorded form, if the information: • Relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family; or • Relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance.
What is Genetic Information?• “Biological samples” can be defined as biological material in which DNA (deoxyribonucleic acid) is present and which contain the genetic makeup of an individual. — EC Directive on Data protection, 1995• “Genetic data” is information about heritable characteristics of individuals. — UNESCO International Declaration on Human Genetic Data, 2003• In Canada, “genome" is defined as the totality of the DNA (deoxyribonucleic acid) sequence of a particular cell. — Assisted Human Reproduction Act, 2004
U.S. Definition of Genetic Information• The Genetic Information Nondiscrimination Act defines “genetic information” as information about: – an individual’s genetic tests; – genetic tests of the individual’s family members; – genetic tests of any fetus of an individual or family member who is a pregnant woman, and genetic tests of any embryo legally held by an individual or family member utilizing assisted reproductive technology; – the manifestation of a disease or disorder in the individual’s family members; – any request for or receipt of genetic services or participation in clinical research that includes genetic services (genetic testing, counseling, or education) by an individual or family member.• The Genetic Information Nondiscrimination Act does not define genetic information to include information about the sex or age of any individual.• A ‘genetic test’ is defined as an analysis of human DNA, RNA, chromosomes, proteins, or metabolites that detects genotypes, mutations, or chromosomal changes.
Primer on Genetics• DNA is the chemical compound that contains the instructions needed to develop and direct the activities of nearly all living organisms;• An organism’s complete set of DNA is called its genome – approximately 3 billion DNA base pairs make up the human genome;• DNA sequencing means determining the exact order of bases in a string of DNA;• Researchers can use DNA sequencing to search for genetic variations that may play a role in the development or progression of a disease;• DNA research also makes possible the prospect of “personalized medicine” – individualized care and treatment based on the unique genetic makeup of every individual and the molecular nature of diseases.
Unique Features of Genetic Information• Identifying – not only at an individual level but also family or parentage level;• Ubiquitous – can be gathered from a small amount of material and is permanent rather than transitory information;• Longevity – can be kept for indeterminate lengths of time, making access and reuse for future purposes possible;• Predictive – highly predictive for some single gene disorders (e.g., Huntington’s disease), less predictive for most other disorders;• Individual and familial in nature – this poses unique concerns relating to privacy.
How is Genetic Information Used?• Predict, diagnose, treat and prevent health conditions;• Personalize medicine;• Reproductive decision making, family planning and paternity testing;• Insurance and employment to assess risks and susceptibility to toxins;• Law enforcement – forensic identification;• Research – biobanks.
Trends in Genetic Information• Growth in publicly funded research biobanks (e.g., Canadian Longitudinal Study on Aging, CartaGene, Ontario Health Study);• Growth in access to genetic testing in health care settings and through genetic testing companies;• Research projects making genetic information available in the public domain (e.g., George Church’s Personal Genome Project);• Websites encouraging the sharing of health information (e.g., Patients Like Me);• Genetic testing is becoming cheaper and faster;• Predictive capacity of genetic tests increasing.
Issues Relating to theUse of Genetic Information
Problems in Using Genetic Information• Over-information: testing may reveal personal information about an individual, as well as his or her family members;• May not necessarily be predictive – may only indicate a predisposition;• When genetic information is used for a secondary purpose outside of a medical or research context, it may result in discrimination, particularly in insurance and employment contexts;• Any non-medically required genetic testing may interfere with an individual’s right “not” to know.
The Right to Know or “Not” to Know• Historically, maintaining the ability to control one’s personal information has revolved around the concept of the “right to know” – namely, the right of access to one’s own personal information that others may have in their custody and control;• In the context of genetic testing and the information arising from it, however, the right to know may be transformed into the right “not to know;”• Genetic tests may reveal information that an individual wishes “not to know” such as non-paternity or certain risk factors for conditions that are not amenable to treatment (no known cure).
Predictive Value of Genetic Information• Most diseases involve interactions among numerous genes, environmental factors, life style choices, etc. (e.g., arthritis, heart disease, most cancers);• Single gene disorders are rare and predictive value varies;• For a highly penetrant single-gene disorder, a test result is determinative (e.g., Huntington’s disease);• Other single-gene positive test results may not predict the development of a given condition (e.g. BRCA-gene associated with hereditary breast-cancer);
Genetic Testing and Employment• May be used by employers to avoid the hiring of individuals they believe are likely to: • have a high risk of absenteeism; • take a stress or sick leave; • resign or retire early for health reasons; • file for workers compensation; or • use health care benefits excessively.
Genetic Testing and Insurance• Individuals are required to disclose information necessary to assess risk, including medical and family history;• Insurance companies can exclude individuals with higher risks or applicants may hide risk status;• If insurance companies are permitted to request the results of genetic testing, individuals may avoid medically-indicated genetic tests out of insurability concerns;• Forcing individuals to undergo genetic testing, may interfere with one’s right “not to know.”
Attitudes about Genetic Testing• Half of the Canadians surveyed indicated that genetic testing raised issues around privacy;• Residents of Ontario, women and university-educated Canadians were more concerned than other Canadians;• Concerns included confidentiality and privacy of information, use of genetic test results for unintended purposes and the potential impact on insurance coverage;• Over two-thirds of Canadians opposed the use of genetic testing to determine who is insurable and at what premiums, while only one in ten supported it;• More than eight in ten Canadians opposed employers use of genetic tests to make hiring and promotion decisions, while only one in ten favoured it.
Does Genetic InformationRequire Special Protection? (Yes!)
Does Genetic Information Require Special Protection?The overarching question is threefold: • Although genetic information is currently protected under existing privacy and human rights legislation, does this legislation provide sufficient protection? • If not, is additional legislation required? • What is the best way to protect genetic information?
Genetic Exceptionalism• In Article 4 of the UNESCO International Declaration on Human Genetic Data, human genetic information is given a special status, since; (a) it can be predictive of genetic predispositions concerning individuals; (b) it has a significant impact on the family; (c) it contains information the significance of which is not necessarily known at the time of the sample and; (d) it has a cultural significance for certain persons/groups.
Of Volume, Depth and Speed• Professors Lisa Austin and Trudo Lemmens argued that there is a need for appropriate regulatory measures with regards to genetic testing and privacy due to: 1. The volume of information that may be extracted from one sample; 2. The speed of testing; 3. Its link with computer technology.
International Legislation and Conventions for Genetic Information – Some Examples• Helsinki Declaration: Recommendations Guiding Physicians in Biomedical Research;• The UNESCO International Declaration on Human Genetic Data;• EU Data Protection Directive;• Human Genome Organization Statement on Human Genetics Databases;• Bilbao Declaration;• Council of Europe, Convention on Human Rights and Biomedicine;• European Convention on Human Rights;• U.S. Genetic Information Nondiscrimination Act of 2008.
Canadian Expert on Genomics – Professor Bartha Knoppers• Director of the Centre of Genomics and Policy, Faculty of Medicine, Dept. of Human Genetics, McGill University;• Former Chair of the International Ethics Committee of the Human Genome Organization (HUGO);• Member of the International Bioethics Committee of the United Nations, Educational, Scientific and Cultural Organization (UNESCO) which drafted the Universal Declaration on the Human Genome and Human Rights;• Founded the Population Project in Genomics and CARTaGENE;• Served on the Board of Genome Canada.
U.S. GINA• The Genetic Information Nondiscrimination Act (GINA) is a federal law in the U.S. that prohibits discrimination in health insurance coverage and employment, based on genetic information;• GINA provides a baseline level of protection against genetic discrimination; individual state laws may have additional protections;• GINA prohibits health insurers or health plan administrators from requesting or requiring genetic information of an individual or an individual’s family members, or using it for decisions regarding coverage or pre-existing conditions, or even asking if a genetic test has ever been conducted.
CalGINA• The California Genetic Information Nondiscrimination Act (CalGINA) came into effect on January 1, 2012;• CalGINA amends existing anti-discrimination laws to prohibit genetic discrimination in areas such as housing, mortgage lending, education and public accommodations;• CalGINA extends the protection provided by the federal GINA to additional areas.
Canada – Not Much Luck: Bills C-508 and C-445• A private member’s bill was introduced unsuccessfully in 2010 to prohibit discriminatory practices based on genetic characteristics;• A similar private member’s bill was again introduced in October, 2012 and is pending before Parliament;• Neither bill included a definition of “genetic testing” or “genetic characteristics;”• Private member’s bills rarely result in legislation.
Canada – Insurance and Genetic Information• The Canadian Life and Health Insurance Association (CLHIA) has issued a Position Statement on the use of genetic information;• It states that insurers will not require an applicant to undergo genetic testing, but if testing has been conducted and the information is available, insurers will request access and expect to see test results;• This is the opposite of what is permitted in the U.S. in the context of health insurance.
UK – Insurance and Genetic Information• The Association of British Insurers and the Government have agreed on a voluntary moratorium, recently extended to 2017, on the use of predictive genetic test results for life insurance policies under £500,000 or critical illness policies under £300,000;• Above these amounts, insurers can only use genetic test results if the test, the disease and product have been approved;• Currently, insurers may only use genetic test results for Huntington’s disease when selling life insurance.
Germany – Insurance and Genetic Information• In 2009, the German Federal Parliament passed the Human Genetic Examination Act which prohibits insurers from demanding genetic examinations or analyses or demanding the results of such examinations or analyses, except in limited circumstances;• Insurers may only request genetic test results for life insurance, occupational disability insurance and pension insurance where the policy pays out more than €300,000 or an annuity of more than €30,000 annually.
Council of Europe – Insurance and Genetic Information• The Council of Europe issued a Consultation Document on Predictivity, Genetic Testing and Insurance in 2012;• The goal of the consultation was to elicit comments on a legislative framework to protect genetic information;• The issue of whether to legislate in respect of genetic information in the insurance context remains unresolved in Europe.
Research Biobanks• There is a trend towards setting up large scale population biobanks and establishing collaborations among biobanks to study the widest possible range of gene-gene, gene- environment and gene-lifestyle interactions;• Growing pressure to publicize research results and raw data from medical journal editors, funding agencies, and other regulatory bodies;• For example, the National Institutes for Health Research (NIHR) and the Canadian Institutes of Heath Research (CIHR) have “public access” policies related to research results, which must be respected.
Case Study: Iceland Commercialization of Gene Pool• In 1999, Iceland’s parliament approved the creation of a health sector database;• The legislation gave a single company, deCODE Genetics, monopoly to create a comprehensive genetic database for the entire population of 280,000 people;• Iceland’s advantages as a site of population research include its relatively homogeneous population, national health system with extensive stores of health data, and detailed genealogical records;• Individuals could opt out of having their information included – by 2001, 7% of the population had opted out;• The Icelandic Medical Association (IMA) launched a worldwide campaign to protest the commodification of an individual’s DNA.
Iceland: Privacy and Trust• In a report to the World Medical Association, Iceland’s doctors cited these specific concerns:• Invasion of privacy: The IMA describes the plan as a “great threat to personal privacy. The data in the database are encrypted but not anonymous; a key is available to connect names to the coded information;”• Breach of patient–physician trust: Iceland’s doctors argue that the transfer of medical records to third parties will undermine the confidence between patients and physicians;• Ethics: “Is it ethical to sell or give away individual genetic data without obtaining informed consent from patients?” … No!
Iceland: Supreme Court• In 2004, Iceland’s Supreme Court ruled that that the law creating the database did not comply with the countrys privacy protections;• Article 71 of the Icelandic constitution: “Everyone shall enjoy the privacy of his or her life, home and family;”• The court also ruled that simply removing or encrypting information such as name and address were not sufficient to prevent the identification of individuals in the database;• The ruling created a legal precedent for living relatives seeking to prevent the transfer of their records into the database.
Iceland: Lessons Learned• Failure to ensure that the Data Protection Commissioner and the Icelandic Medical Association were on board impeded construction of the database;• Before the end of 2003, deCODE Genetics announced that it did not expect to ever construct or operate the health sector database authorized by the legislation and proceeded to construct a database based on informed consent;• Iceland is now invoked as a bad model for handling consent and other ethical and legal aspects of state-sponsored genomics;• Has led to international agreement that encryption architectures cannot replace informed consent for population genomics projects.
Consent Issues in the Context of Genetic Information• Can an individual consent to the collection, use and disclosure of genetic information that has implications for extended family members?• Since genomics projects are longitudinal and open-ended and risks cannot be identified in advance, can consent for future uses be truly considered to be “informed?”• Proposed alternative forms of consent include one-time, project specific consent; presumed consent (opt-out consent); blanket or open consent; an authorization model (e.g., through directives); reconceptualizing research as a primary use to enable reliance on implied consent.
Anonymized and Aggregate Genetic Information• Genetic data which has been anonymized or aggregated does not have the potential to be identified;• Where there is no reasonable possibility of identifying a specific individual, either directly, indirectly, through manipulation or linkage of information, there is no need to provide privacy protections (Health Insurance Portability and Accountability Act);• Under PHIPA, “identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual;• Only identifying information is included in the definition of personal health information in PHIPA.
Can Genetic Information be De-identified?• Some argue that genetic information can never be de- identified, for example, even a few dozen gene markers may provide enough data to uniquely identify an individual;• Dr. Khaled El Emam has described methods that may be used to ensure that the risk of re-identification is very low, but notes that improved methods for de-identification of genome sequences or genomic data are needed;• Even if parts of a DNA sequence are suppressed, a skilled geneticist can most likely reconstruct the missing sequences.
Designing Genetic Information Policy“The routine availability of identifiable geneticinformation about individuals may have effects that reachfar beyond the provision of medical care. As the amount ofdetailed genetic information grows, society may berequired to re-examine the basic principles of health andlife insurance, review the rules that govern employmentand hiring, reconsider the confidentiality rules that arepart of the doctor-patient relationship, and in general,re-assess the way in which individuals are categorized andtreated in a variety of social and economic relationships.” U.S. Congress, house of representatives, committee on government operations, Designing Genetic Information Policy Washington D.C., 1992
Conclusions• Genetic information raises serious privacy and human rights issues, not only for the individual, but their families as well;• In Canada, genetic information is currently protected by federal, provincial and territorial privacy and human rights statutes, but not as well as in the United States and other jurisdictions;• The U.S., EU and U.K., have gone much further than Canada, introducing legislation to prevent genetic information from being used to discriminate, in employment and insurance contexts;• This begs the question of whether genetic information requires further protection in Canada – I believe it does;• We must embed Privacy – by Design, into all systems involving genetic information, and doe so now, otherwise we will be courting Privacy – by Disaster.
How to Contact UsAnn Cavoukian, Ph.D.Information & Privacy Commissioner of Ontario2 Bloor Street East, Suite 1400Toronto, Ontario, CanadaM4W 1A8Phone: (416) 326-3948 / 1-800-387-0073Web: www.ipc.on.caE-mail: firstname.lastname@example.orgFor more information on Privacy by Design, please visit: www.privacybydesign.ca